CLAIMS:

1. A method of automatically obtaining a second
certificate for a user using a first certificate, the method
comprising:

accessing a registration server using a user's
server and the first certificate of the user to create a
connection that authenticates both the user's server identity
via a server certificate of the user server and the user's
identity via the user's first certificate;

creating a secure data channel between the
registration server and the user server;

forwarding a request for the second certificate from
the user server to the registration server;

determining in the registration server that the user
is entitled to the second certificate;

forwarding a request from the registration server to
an authority to generate a private/public key pair;

sending the private key to the user from the
authority via the secure data channel;

sending the public key from the authority to another
authority to be signed; and

forwarding the second certificate from the another
authority to a directory.

2. The method of claim 1, further comprising sending a
backup copy of the private key from the authority to a key 
recovery authority. 

3. The method of claim 1, wherein the first certificate 
comprises a signature certificate. 

4. The method of claim 1, wherein the second 
certificate comprises an encryption certificate. 

5. The method of claim 1, wherein the first certificate 
comprises an expiring signature certificate and the second 
certificate comprises a replacement signature certificate. 

6. The method of claim 1, wherein the first certificate 
comprises a signature certificate and the second certificate 
comprises a replacement encryption certificate. 

7. The method of claim 1, wherein the first certificate 
comprises a signature certificate and the second certificate 
comprises one of either the user's current encryption 
certificate or an expired encryption certificate of the user. 

8. A method of automatically obtaining a second
certificate for a user using a first certificate, the method
comprising:

accessing a server platform using a user's server
and the first certificate of the user to create a connection
that authenticates both the user's server identity via a
server certificate of the user server and the user's identity
via the user's first certificate;

creating a secure data channel between the server
platform and the user server;

forwarding a request for the second certificate from
the user server to the server platform; and

generating at the server platform the second
certificate.

9. The method of claim 8, wherein the first certificate
comprises a signature certificate.

10. The method of claim 8, wherein the second
certificate comprises an encryption certificate.

11. The method of claim 8, wherein the first certificate
comprises an expiring signature certificate and the second
certificate comprises a replacement signature certificate.

12. The method of claim 8, wherein the first certificate
comprises a signature certificate and the second certificate
comprises a replacement encryption certificate.

13. The method of claim 8, wherein the first certificate
comprises a signature certificate and the second certificate
comprises one of either the user's current encryption
certificate or an expired encryption certificate of the user.

14. An apparatus for automatically obtaining a second
certificate for a user using a first certificate, the
apparatus comprising:

a user server and a registration server, the user
server accessing the registration server using the first
certificate of the user to create a connection that
authenticates both the user's server identity via a server
certificate of the user server and the user's identity via the
user's first certificate;

a secure data channel, the secure data channel being
disposed between the registration server and the user server,
the user server forwarding a request for the second
certificate to the registration server through the secure data
channel;

a first authority, the registration server
determining that the user is entitled to the second
certificate and forwarding a request to the first authority to
generate a private/public key pair, the first authority
sending the private key to the user via the secure data
channel;

a second authority, the first authority sending the
public key to the second authority to be signed; and

a directory, the second authority forwarding the
second certificate to the directory.



[illegible]. The apparatus of claim 14, wherein the first
certificate comprises a signature certificate.

[illegible]. The apparatus of claim 14, wherein the second
certificate comprises an encryption certificate.

[illegible]. The apparatus of claim 14, wherein the first
certificate comprises an expiring signature certificate and
the second certificate comprises a replacement signature
certificate.

[illegible]. The apparatus of claim 14, wherein the first
certificate comprises a signature certificate and the second
certificate comprises a replacement encryption certificate.

[illegible]. The apparatus of claim [illegible], wherein the first
certificate comprises a signature certificate and the second
certificate comprises one of the user's current encryption
certificate and an expired encryption certificate of the user.

[illegible]. An apparatus for automatically obtaining a second
certificate for a user using a first certificate, the
apparatus comprising:

a user server and a server platform, the user server
accessing the server platform using the first certificate of
the user to create a connection that authenticates both the
user's server identity via a server certificate of the user
server and the user's identity via the user's first
certificate;

a secure data channel, the secure data channel being
disposed between the server platform and the user server;

the user server forwarding a request for the second
certificate to the server platform; and

the server platform generating the second
certificate.

[illegible]. The apparatus of claim [illegible], wherein the first
certificate comprises a signature certificate.



Docket No. 15-0231

[illegible]. The apparatus of claim [illegible], wherein the second
certificate comprises an encryption certificate.

[illegible]. The apparatus of claim [illegible], wherein the first
certificate comprises an expiring signature certificate and
the second certificate comprises a replacement signature
certificate.

[illegible]. The apparatus of claim [illegible], wherein the first
certificate comprises a signature certificate and the second
certificate comprises a replacement encryption certificate.

[illegible]. The apparatus of claim [illegible], wherein the first
certificate comprises a signature certificate and the second
certificate comprises one of either the user's current
encryption certificate or an expired encryption certificate of
the user.
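
The issuance path of claims 1 and 2, walked through with the openssl command line as an added example that is not part of the patent text. The names (`Demo CA`, `alice`), the directory layout and the entitlement rule in `entitled` are assumptions, and local file copies stand in for the mutually authenticated secure data channel.

```bash
#!/usr/bin/env bash
# Added example: claim 1's issuance path with openssl. All names are constructed.
set -eu
W=$(mktemp -d)   # one scratch directory per party
mkdir "$W/ca" "$W/keygen" "$W/user" "$W/recovery" "$W/directory"

# "Another authority": the signer, a throwaway CA for this demo.
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo CA" \
  -keyout "$W/ca/ca.key" -out "$W/ca/ca.pem" 2>/dev/null

# issue_cert <csr> <keyUsage> <out>: the CA signs the public key in the CSR.
issue_cert() {
  printf 'keyUsage=critical,%s\n' "$2" > "$W/ca/ext.cnf"
  openssl x509 -req -in "$1" -CA "$W/ca/ca.pem" -CAkey "$W/ca/ca.key" \
    -CAcreateserial -days 30 -extfile "$W/ca/ext.cnf" -out "$3" 2>/dev/null
}

# The user's first certificate: a signature certificate (claim 3).
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=alice" \
  -keyout "$W/user/sig.key" -out "$W/user/sig.csr" 2>/dev/null
issue_cert "$W/user/sig.csr" digitalSignature "$W/user/sig.pem"

# Registration server's entitlement test (assumed rule, not from the claims):
# the first certificate chains to the CA and permits digital signatures.
entitled() {
  openssl verify -CAfile "$W/ca/ca.pem" "$1" >/dev/null 2>&1 &&
    openssl x509 -in "$1" -noout -text | grep -q 'Digital Signature'
}

# request_second_cert <first cert>: prints the directory entry on success.
request_second_cert() {
  entitled "$1" || return 1
  # First authority generates the pair; only the CSR (public key) goes to the CA.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=alice" \
    -keyout "$W/keygen/enc.key" -out "$W/keygen/enc.csr" 2>/dev/null
  cp "$W/keygen/enc.key" "$W/user/enc.key"      # stands in for the secure channel
  cp "$W/keygen/enc.key" "$W/recovery/enc.key"  # claim 2: key recovery copy
  issue_cert "$W/keygen/enc.csr" keyEncipherment "$W/directory/alice-enc.pem"
  echo "$W/directory/alice-enc.pem"
}

request_second_cert "$W/user/sig.pem"
```

The signing authority never holds the encryption private key in this flow; the key-generating authority and the key recovery copy are the places where that key exists outside the user's control.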